How Click Injection Works
Click injection is a precision-targeted form of mobile ad fraud that exploits Android's install broadcast system to steal attribution credit at the exact moment an app is being installed. Unlike click spamming, which relies on volume and probability, click injection is surgically timed to intercept the attribution of specific, real installs.
The attack requires a malicious app already present on the user's device. This app, often disguised as a utility, game, or flashlight app, registers a broadcast receiver for the PACKAGE_ADDED intent. When the Android system begins installing any new app, it broadcasts this intent to all registered listeners. The malicious app receives the signal, identifies the app being installed, and immediately fires one or more fake ad clicks to attribution endpoints associated with that app.
Because mobile attribution typically uses a last-click model, this freshly injected click, arriving milliseconds before the install completes, wins the attribution. The legitimate ad source that actually convinced the user to install the app loses credit. The fraudster, operating through an ad network or sub-publisher, collects the CPI payout for an install they had no role in driving. The user experience is completely unaffected, which makes click injection invisible to the end user.
The Technical Mechanics
Understanding the technical details of click injection helps growth teams appreciate why it is both effective and detectable. The Android operating system uses an intent-based communication system where apps can broadcast and receive system-level events. The PACKAGE_ADDED broadcast is sent when a new package (app) is added to the device, and any app with the appropriate receiver registered in its manifest can listen for it.
The malicious app maintains a mapping of app package names to their associated attribution endpoints and tracking links. When it detects an install for a known app, it constructs a click URL with the device's advertising ID (GAID), device model, OS version, and other parameters that attribution providers use for matching. This click is sent to the ad network's click endpoint, which forwards it to the MMP. The entire process takes milliseconds.
The sophistication of modern click injection goes beyond simple broadcast listening. Advanced variants use accessibility services to detect when a user opens the Play Store and begins browsing a specific app listing, firing the click even before the install begins. Some variants monitor network traffic to detect download initiation. These techniques make the fake click appear more natural in timing, complicating detection efforts that rely solely on CTIT analysis.
Detecting Click Injection
Click-to-install time (CTIT) analysis is the most reliable method for detecting click injection. In a legitimate install flow, the user clicks an ad, is redirected to the app store, reviews the listing, taps install, waits for the download, and opens the app. This process takes at minimum 20–30 seconds and typically several minutes. Click injection produces clicks that occur just seconds before the install is recorded, creating a distinctive spike in the 0–10 second CTIT range.
Plot the CTIT distribution for each traffic source as a histogram. Legitimate sources show a curve that peaks in the 30-second to 5-minute range and tapers off gradually. Sources with click injection show a sharp, unnatural spike at the far left of the distribution: installs attributed within seconds of the click. If more than 10–15% of a source's installs fall within the 0–10 second CTIT window, click injection is highly likely.
Combine CTIT analysis with new device ratio monitoring. Click injection requires a malicious app to already be on the device, which means the affected devices are not new; they have been in use long enough to accumulate apps. If a traffic source shows a high proportion of installs from devices with recent first-seen dates combined with suspiciously short CTIT, the data may be fabricated entirely. Cross-referencing multiple fraud signals strengthens detection confidence significantly.
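The per-source check described above can be scripted. This is an added example, not code from the article or from any attribution provider: the record fields (source, click_ts, install_ts, device_age_days), the 7-day "new device" cutoff, the 50% new-device share and the sample rows are all assumptions, while the 0–10 second window and the 10% limit come from the text.

```python
from collections import Counter, defaultdict

# Histogram buckets as (upper bound in seconds, label).
BUCKETS = [(10, "0-10s"), (30, "10-30s"), (300, "30s-5m"), (3600, "5m-1h")]
SHORT_SHARE_LIMIT = 0.10        # lower end of the article's 10-15% range
NEW_DEVICE_DAYS = 7             # assumption: cutoff for "recent first-seen"
NEW_DEVICE_SHARE_LIMIT = 0.5    # assumption: share that suggests fabrication

def bucket(ctit):
    """Map a click-to-install time in seconds to a histogram label."""
    if ctit < 0:
        return "invalid"        # click recorded after the install
    for edge, label in BUCKETS:
        if ctit <= edge:
            return label
    return ">1h"

def analyze(installs):
    """Return per-source CTIT histogram, 0-10 s share and a verdict."""
    by_source = defaultdict(list)
    for r in installs:
        by_source[r["source"]].append(r)
    report = {}
    for source, rows in by_source.items():
        hist = Counter(bucket(r["install_ts"] - r["click_ts"]) for r in rows)
        short = [r for r in rows if 0 <= r["install_ts"] - r["click_ts"] <= 10]
        short_share = len(short) / len(rows)
        new_share = (sum(r["device_age_days"] < NEW_DEVICE_DAYS for r in short)
                     / len(short)) if short else 0.0
        if short_share <= SHORT_SHARE_LIMIT:
            verdict = "ok"
        elif new_share >= NEW_DEVICE_SHARE_LIMIT:
            verdict = "possibly fabricated"   # short CTIT on brand-new devices
        else:
            verdict = "likely click injection"
        report[source] = {"hist": dict(hist), "short_share": short_share,
                          "verdict": verdict}
    return report

def row(source, ctit, age):
    return {"source": source, "click_ts": 1000, "install_ts": 1000 + ctit,
            "device_age_days": age}

# Constructed sample data, not real traffic.
SAMPLE = (
    [row("net_a", c, 200) for c in (45, 60, 90, 120, 180, 240, 400, 35, 75, 8)]
    + [row("net_b", c, 300) for c in (2, 3, 4, 5, 6, 70, 95, 150, 210, 500)]
    + [row("net_c", c, 1) for c in (1, 2, 2, 3, 4, 5, 6, 7, 80, 130)]
)
```

Calling analyze(SAMPLE) passes net_a, flags net_b as likely click injection (half its installs land in the 0–10 second bucket on long-lived devices), and marks net_c as possibly fabricated because its short-CTIT installs all come from devices first seen a day earlier.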
Prevention and Mitigation
Preventing click injection requires a multi-layered approach combining technical controls, partner management, and measurement infrastructure. At the technical level, Google has taken steps to limit the exploitability of install broadcasts. Starting with Android 8.0, implicit broadcast receivers declared in the manifest are restricted, and apps targeting newer API levels cannot passively listen for PACKAGE_ADDED without being in the foreground. However, older devices and apps targeting lower API levels remain vulnerable.
Linkrunner addresses click injection through intelligent attribution logic that goes beyond simple last-click matching. By analyzing click timing patterns, device signals, and behavioral indicators in real time, Linkrunner can identify and filter injected clicks before they corrupt your attribution data. This means your campaign reporting reflects genuine ad-driven installs, not stolen organic traffic.
On the partner management side, establish clear fraud thresholds in your contracts with ad networks. Define what constitutes unacceptable CTIT distributions and specify the consequences, typically clawbacks or account termination. Share your CTIT analysis with network partners and require them to investigate and remediate flagged sub-publishers. Reputable networks will cooperate because click injection undermines their own credibility.
Financial Impact and Industry Response
The financial damage from click injection is disproportionate to its technical complexity. Because click injection targets real installs from real users, the stolen installs appear high-quality in post-install metrics. The users engage normally, retain at expected rates, and generate revenue, because they were genuine users all along. This makes click injection harder to catch through post-install quality analysis alone and means the financial loss is pure waste with zero incremental value.
Consider a scenario where 25% of your attributed installs from a specific network are actually click-injected organic users. You are paying CPI rates for users who would have installed your app regardless. If your monthly spend with that network is $100,000, you are losing $25,000 per month, or $300,000 annually, to a single fraud technique from a single source. Scale this across multiple networks and the losses compound rapidly.
The industry has responded with increasingly sophisticated countermeasures. Google's Play Install Referrer API provides a more secure attribution signal by reporting the exact timestamp when the user first opened the Play Store listing, making it possible to validate whether a click preceded the store visit. MMPs have integrated CTIT-based detection into their standard fraud suites. But the arms race continues: as detection improves, fraudsters develop new evasion techniques, making ongoing vigilance and measurement investment essential for every growth team.
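The validation described above, set against plain last-click attribution, as an added example that is not code from the article, Google or any MMP. The field names (network, ts, store_visit_ts, install_ts) and both timelines are constructed assumptions; store_visit_ts stands in for the store-listing timestamp the text attributes to the Install Referrer API.

```python
ORGANIC = "organic"


def naive_last_click(clicks, install_ts):
    """Plain last-click: the latest click at or before the install wins."""
    eligible = [c for c in clicks if c["ts"] <= install_ts]
    return max(eligible, key=lambda c: c["ts"])["network"] if eligible else ORGANIC


def validated_last_click(clicks, install_ts, store_visit_ts):
    """Last-click that only accepts clicks made before the store visit.

    Returns (winning network, networks whose clicks were rejected because
    they arrived after the store listing was already open).
    """
    eligible = [c for c in clicks if c["ts"] <= store_visit_ts]
    rejected = [c["network"] for c in clicks
                if store_visit_ts < c["ts"] <= install_ts]
    winner = max(eligible, key=lambda c: c["ts"])["network"] if eligible else ORGANIC
    return winner, rejected


# Constructed timelines in seconds, not real data.
# Case 1: a real ad click (net_a) leads to the store; net_x injects at t=58.
AD_DRIVEN = {
    "clicks": [{"network": "net_a", "ts": 0}, {"network": "net_x", "ts": 58}],
    "store_visit_ts": 5,
    "install_ts": 60,
}
# Case 2: the user found the app unaided; the only click is the injected one.
ORGANIC_INSTALL = {
    "clicks": [{"network": "net_x", "ts": 150}],
    "store_visit_ts": 100,
    "install_ts": 152,
}

if __name__ == "__main__":
    for case in (AD_DRIVEN, ORGANIC_INSTALL):
        print(naive_last_click(case["clicks"], case["install_ts"]),
              validated_last_click(**case))
```

In both timelines the naive model credits net_x, while the validated model returns net_a for the ad-driven install and organic for the unaided one, listing net_x as rejected each time.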
